on 07-27-2011 10:41 PM
We are doing the AC 10 implementation and found there are around 250 standard risks in the global ruleset. The implementation team is suggesting to mitigate the risks. My question is: do we need to mitigate all the 250 risks now, before the installation of the Production system and before running the actual risk analysis to get the list of violations?
Also, is there a way to create the mitigation controls for the 250 risks together, rather than creating them individually? Maybe some way to upload them.
> As per the implementation team, they are suggesting to mitigate the risks. My question is: do we need to mitigate all the 250 risks now, before the installation of the Production system and before running the actual risk analysis to get the list of violations?
It depends. Maybe your LOB wants to see how many risks exist and how many mitigations are carried out before going live. You have to check this with your LOB.
> Also, is there a way to create the mitigation controls for the 250 risks together, rather than creating them individually? Maybe some way to upload them.
No. It's a manual task, since the risks that you associate with the mitigation controls, and the mitigation control descriptions and reasons, are free-flow text fields and can't be uploaded.
Regards,
Raghu
Thanks again for clearing the doubt. The requirement is not coming from the LOB; it's the ramp-up team which is suggesting to create the mitigation controls now. Currently only the dev system is configured, and the risk findings will be too high in the Dev system.
I am more inclined to run the risk analysis in the Production system and create the mitigation controls for the risks identified in Production.
Let me share my experience.
First point: 251 risks are too many. You should identify whether all 251 risks make sense. If yes, then you should first go with remediation. Try to clean up so that during analysis the number of risks comes down.
Mitigation should be the last resort.
In many cases there would be a compliance or Internal Control team that owns the Mitigation Controls. Kindly check in your case if you already have some kind of Mitigation Control or Internal Control which you can map to your Risk.
Thanks & Regards
Asheesh
I completely agree with Asheesh.
I am also involved with one of the Ramp-up teams for AC10, and this is the correct approach that we would have to look at, as creating mitigation for all the risks is only the feasible solution.
Once we have the roles cleaned up, this should also help to stay clean. Even after all the roles are cleaned up, if we still have some risks, then we would have to look at the mitigation process for all these risks.
Dear Asheesh, Raghu and Vikas,
I also agree with all of you. So it means we should only start creating mitigation controls after the Go-Live phase, as then we have the running Production system and can have the actual risks existing in our landscape.
As of now, with only the development system running, it's not possible to get the risk analysis running and find the risks that will come in the Production system.
I will follow this process after the Production system is running:
1. Run the risk analysis report to find all the risks.
2. Try to remediate the risks by cleaning up the roles.
3. Send the remaining list of risks (with affected users and roles) to the Process owners via email. They can suggest two things:
a) to remove the authorization from the roles/user if it's too risky for the user to have, or if the user should not be authorized to use that tcode; or
b) if not possible, they will suggest that the security admin create the mitigation control for it and mitigate.
Please confirm if this is not the correct approach.
Thanks for your replies.
Hi,
Maybe for creating MCs you need not wait for production. This is a separate exercise which can start in parallel, and basically the compliance team will be responsible, not the security team.
You can keep the MC catalog ready so that in a situation where you are not able to remediate, you need not wait for the MC to be created.
Keep the MC catalog ready and use it as a last resort.
Thanks & regards
Ashish
My understanding is that an MC can be created for a Risk without knowing to which user it belongs.
Let's take an example:
ME21N and F110 will always be a risk, no matter which user is performing these two t-codes.
So an MC for this can be made handy, and whenever a user gets it they can assign it.
But during assignment of an MC to a risk and a user, you need to see how efficient the MC is going to be for that user.
If you find it's not very efficient for that user scenario, you need to go for a LOCAL Mitigation Control.
Hope I have answered your question.
Thanks & Regards
Asheesh
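The thread's process (run the analysis, remediate by cleaning up roles, then mitigate what remains with a control defined per risk rather than per user) can be made concrete with a small model. The following is an added example written for this thread, not SAP GRC code or the AC 10 engine: the ruleset, role and user assignments, risk ids and the mitigation-control catalog are all constructed for illustration, and only ME21N and F110 come from the discussion above. It shows why a control can be drafted against a risk before any user is known, and why the analysis still has to be re-run after remediation before deciding which violations actually need a control.

```python
"""Toy segregation-of-duties (SoD) analysis with remediation and mitigation.

Added example, not SAP GRC code. Risk ids, roles, users, the second risk and
the control catalog are constructed for illustration; ME21N and F110 are the
t-codes named in the thread. Functions return plain data so results can be
checked rather than only printed.
"""

# Constructed ruleset: risk id -> conflicting functions, each a set of t-codes.
# A user violates a risk when they can execute at least one t-code of EVERY function.
RULESET = {
    "R_PO_PAY": [{"ME21N"}, {"F110"}],              # create purchase order vs. run payments
    "R_VENDOR_PAY": [{"XK01", "FK01"}, {"F110"}],   # constructed: vendor master vs. payments
}

# Constructed role -> t-codes and user -> roles assignments (the access to be analysed).
ROLES = {
    "Z_PURCHASER": {"ME21N", "ME23N"},
    "Z_AP_CLERK": {"F110", "FB60"},
    "Z_SUPER_USER": {"ME21N", "F110", "XK01"},
}
USERS = {
    "alice": {"Z_PURCHASER", "Z_AP_CLERK"},   # conflict arises across two roles
    "bob": {"Z_SUPER_USER"},                  # conflict inside a single role
    "carol": {"Z_PURCHASER"},                 # no conflict
}


def user_tcodes(user, users=USERS, roles=ROLES):
    """Effective t-codes of a user: the union over all assigned roles."""
    return set().union(*(roles[r] for r in users[user]))


def analyze(users=USERS, roles=ROLES, ruleset=RULESET):
    """Step 1: return {(user, risk_id): [tcodes hit per function]} for every violation."""
    violations = {}
    for user in users:
        tcodes = user_tcodes(user, users, roles)
        for risk_id, functions in ruleset.items():
            hits = [f & tcodes for f in functions]
            if all(hits):   # user can execute every conflicting function
                violations[(user, risk_id)] = hits
    return violations


def remediate(roles, role, tcode):
    """Step 2: return a copy of the role catalog with `tcode` removed from `role`.
    Fixing the role removes the violation for everyone holding it."""
    new_roles = {r: set(t) for r, t in roles.items()}
    new_roles[role].discard(tcode)
    return new_roles


# Constructed global mitigation-control catalog. A control is defined per risk,
# independent of users, so it can be prepared before go-live.
MC_CATALOG = {
    "MC_PO_PAY_REVIEW": {
        "risk": "R_PO_PAY",
        "description": "Monthly review of purchase orders paid by their creator",
    },
}


def assign_mitigation(assignments, catalog, user, risk_id, mc_id):
    """Step 3b: assign a catalog control to one (user, risk) pair.
    The control must have been defined for that risk; otherwise a local control is needed."""
    if catalog[mc_id]["risk"] != risk_id:
        raise ValueError(f"{mc_id} mitigates {catalog[mc_id]['risk']}, not {risk_id}")
    return {**assignments, (user, risk_id): mc_id}


def report(violations, assignments):
    """Split remaining violations into mitigated (control assigned) and open ones."""
    keys = sorted(violations)
    return {
        "mitigated": [(u, r, assignments[(u, r)]) for (u, r) in keys if (u, r) in assignments],
        "open": [(u, r) for (u, r) in keys if (u, r) not in assignments],
    }


def run_example():
    """Full flow: clean up the role first, re-run the analysis, then mitigate what is left."""
    roles = remediate(ROLES, "Z_SUPER_USER", "ME21N")   # remediation of the super-user role
    violations = analyze(roles=roles)                    # re-run analysis on the cleaned roles
    assignments = assign_mitigation({}, MC_CATALOG, "alice", "R_PO_PAY", "MC_PO_PAY_REVIEW")
    return report(violations, assignments)


if __name__ == "__main__":
    print("before clean-up:", sorted(analyze()))
    print("after clean-up and mitigation:", run_example())
```

Before remediation the analysis flags alice and bob on the ME21N/F110 risk and bob on the constructed vendor risk; removing ME21N from the super-user role clears one of bob's violations without any control, and only then is the catalog control assigned to alice. Bob's remaining vendor-payment violation stays open because no catalog control exists for that risk, which is exactly the situation where a local mitigation control (or further remediation) is needed.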